Enabling SELinux on Ubuntu 22.04 – Real-World Fix for Boot & Service Failures

Overview

Recently, we received a support request from a user who attempted to enable SELinux on Ubuntu 22.04. However, after setting the SELinux mode to enforcing, the server failed to boot properly, and several critical services were blocked by SELinux policies.

In this blog post, I’ll walk you through how we diagnosed the issue, created custom policies, and safely applied SELinux in a production-ready Ubuntu environment.

User Request

“We have Ubuntu 22.04 servers where we’re trying to enable SELinux. After setting SELinux to enforcing mode, the server doesn’t start correctly—some services are not getting whitelisted in the SELinux policy.”

Initial Observations

Ubuntu uses AppArmor by default, not SELinux. Enabling SELinux involves:

  • Installing additional packages
  • Changing bootloader configs
  • Replacing AppArmor if required

Since SELinux in enforcing mode was blocking some operations, we opted for a safe rollback to permissive mode for analysis.

Resolution Steps

1️⃣ Installed Required SELinux Packages

sudo apt update
sudo apt install selinux selinux-basics selinux-policy-default auditd -y

2️⃣ Activated SELinux and Set to Permissive

sudo selinux-activate
sudo selinux-config-enforcing permissive

We also edited the GRUB bootloader:

sudo nano /etc/default/grub
# Added:
GRUB_CMDLINE_LINUX="selinux=1 security=selinux"
sudo update-grub

3️⃣ Rebooted & Verified SELinux Status

sestatus
# Output:
SELinux status: enabled
Current mode: permissive

Analyzing Denied Operations

Once booted in permissive mode, we used auditd to trace blocked actions.

sudo ausearch -m avc -ts today

and

sudo grep denied /var/log/audit/audit.log

We even generated a full HTML-style summary using:

sudo sealert -a /var/log/audit/audit.log

Creating & Applying Custom SELinux Policies

We found that nginx and a few custom Python services were being blocked. We generated custom policies using:

sudo grep denied /var/log/audit/audit.log | audit2allow -M custom_policy
sudo semodule -i custom_policy.pp

This allowed SELinux to permit only those actions that were logged and confirmed as necessary.
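Before piping every logged denial into audit2allow, it helps to see which domain requested which permission on which target. The script below is an added example, not part of the original post; the function names, the module name nginx_local, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: review AVC denials per domain before building a module.
# Function names and the sample log lines are constructed, not from the post.

# Constructed sample in audit.log format; on a real host read
# /var/log/audit/audit.log instead. The last line is the kind of denial
# a reviewer would question rather than allow.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000001.101:201): avc:  denied  { name_connect } for  pid=811 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000001.101:201): arch=c000003e syscall=42 success=yes exit=0 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1700000002.330:207): avc:  denied  { name_connect } for  pid=812 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000005.007:215): avc:  denied  { read open } for  pid=930 comm="python3" path="/etc/shadow" dev="sda1" ino=4242 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
EOF
}

# Print "count source_type target_type class { perms }" for each distinct denial.
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Pass through only the raw AVC lines whose source type is $1 (e.g. httpd_t).
denials_for_domain() {
    grep 'avc:.*denied' | grep -E "scontext=[^: ]+:[^: ]+:$1:"
}

sample_log | summarize_avc
# On a real host, as root (nginx_local is a hypothetical module name):
#   denials_for_domain httpd_t < /var/log/audit/audit.log | audit2allow -M nginx_local
#   then read nginx_local.te before running: semodule -i nginx_local.pp
```

Building one module per domain keeps each generated .te file short enough to read line by line, and leaves denials such as the shadow_t read out of the policy until someone has explained them.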

Switching to Enforcing Mode

After verifying everything worked in permissive mode, we switched to enforcing:

sudo setenforce 1

And made it permanent:

sudo nano /etc/selinux/config
# Changed to:
SELINUX=enforcing

Final Checks

  • Verified that no services were failing: sudo systemctl --failed
  • Monitored SELinux logs for residual issues: sudo ausearch -m avc -ts recent

Everything was clean, stable, and secure!

Conclusion

Enabling SELinux on Ubuntu 22.04 can add a strong security layer—but it needs careful planning, especially in a production environment. We always recommend:

  • Starting with permissive mode
  • Monitoring and analyzing denials
  • Applying only required policies

If you’re considering SELinux or AppArmor for your Linux servers, feel free to reach out — we’re happy to help make your infrastructure secure and reliable.
